Basic Information:

Version Specific Information:

Cucumber 1.0 i686

fixed in python3-3.6.4-i686-2

Cucumber 1.0 x86_64

fixed in python3-3.6.4-x86_64-2

Cucumber 1.1 i686

fixed in python3-3.6.4-i686-2

Cucumber 1.1 x86_64

fixed in python3-3.6.4-x86_64-2

Details:

=================================== Overview ===================================
The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4
does not ensure a nonzero channel value, which allows attackers to cause a
denial of service (divide-by-zero error and application crash) via a crafted
wav format audio file.
================================ Initial Report ================================
From https://bugs.python.org/issue32056:
I found a bug in wave.py because there is no check for self._channel in the
_read_fmt_chunk function. When I try to open a wav file whose channel is zero,
it will crash because of division by zero in the initfp function.
================================= Our Analysis =================================
----- Affected Products -----
Any Python 3 release up to and including 3.6.4 that has not had the patch from
https://github.com/python/cpython/commit/0b68584514d98d955c849d44b88ccbd4476b0858.patch
applied is vulnerable. At the time of this writing, 3.6.4 is the latest
version of Python 3; future versions may or may not be affected.
----- Scope and Impact of this Vulnerability -----
Allows an attacker to cause a denial of service (application crash) in any
application that uses the standard Python wave library to read an untrusted,
attacker-supplied wav file.
----- Fix for this Vulnerability -----
This vulnerability has been fixed by
https://github.com/python/cpython/commit/0b68584514d98d955c849d44b88ccbd4476b0858.patch.
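The following added example (not from this advisory, the CPython patch, or the Cucumber package) constructs two minimal WAV byte strings in memory, one well-formed and one with a zero channel count, and shows a header pre-check that rejects the zero-channel case before the bytes ever reach wave.open; the helper names build_wav, check_wav_header and wave_open_outcome are this example's own. A check of this kind is what the upstream fix adds inside _read_fmt_chunk, so on a patched interpreter wave.open raises wave.Error instead of the ZeroDivisionError described above.

```python
import io
import struct
import wave


def build_wav(nchannels, sampwidth, framerate, pcm):
    """Constructed test data: a minimal PCM RIFF/WAVE file as bytes."""
    blockalign = nchannels * sampwidth
    fmt = struct.pack('<HHIIHH', 1, nchannels, framerate,
                      framerate * blockalign, blockalign, sampwidth * 8)
    body = (b'WAVE' + b'fmt ' + struct.pack('<I', len(fmt)) + fmt
            + b'data' + struct.pack('<I', len(pcm)) + pcm)
    return b'RIFF' + struct.pack('<I', len(body)) + body


def check_wav_header(data):
    """Pre-check the fmt chunk; return None if sane, else a rejection reason."""
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'WAVE':
        return 'not a RIFF/WAVE file'
    pos = 12
    while pos + 8 <= len(data):
        name = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        if name == b'fmt ':
            if size < 16 or pos + 24 > len(data):
                return 'fmt chunk truncated'
            _tag, nch, _rate, _bps, _align, bits = struct.unpack_from(
                '<HHIIHH', data, pos + 8)
            if nch == 0:
                return 'bad # of channels'   # framesize would be 0: CVE-2017-18207
            if bits == 0:
                return 'bad sample width'    # other factor of the same framesize
            return None
        pos += 8 + size + (size & 1)        # RIFF chunks are word-aligned
    return 'fmt chunk missing'


def wave_open_outcome(data):
    """How the interpreter's own wave module treats the bytes: 'ok',
    'rejected' (wave.Error, patched) or 'crash' (ZeroDivisionError, unpatched)."""
    try:
        with wave.open(io.BytesIO(data), 'rb') as w:
            w.getnchannels()
        return 'ok'
    except wave.Error:
        return 'rejected'
    except ZeroDivisionError:
        return 'crash'


if __name__ == '__main__':
    for blob in (build_wav(1, 2, 8000, b'\x00\x00' * 4), build_wav(0, 2, 8000, b'')):
        print(check_wav_header(blob), wave_open_outcome(blob))
```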
================================= Our Solution =================================
We have applied a modified version of the aforementioned patch and rebuilt. Our
modified patch can be found at:
http://mirror.cucumberlinux.com/cucumber/cucumber-1.1/source/lang-base/python3/patches/00010_CVE-2017-18207_0b68584514d98d955c849d44b88ccbd4476b0858.patch